Deconstructing the Fake FTC E-mail Virus Attack
A targeted e-mail virus disguised as an identity theft inquiry from the Federal Trade Commission appears to have successfully compromised more than 500 PCs, including victims at banks, real estate brokerages, law firms and marketing companies.
Each of the victims received the invitation to open the virus-infected attachment via an e-mail that addressed the recipient by name, and in some cases included the name of the recipient's employer. Security Fix was able to gain access to one of several Internet addresses where data stolen from victims' PCs was uploaded by the virus. The link did not require a user name or password. There are several security outfits working to get the site taken down, but the longer it stays live there is the potential that the sensitive information could be obtained by more criminals.
It's not clear how the attacker selected targets, but one thing is increasingly clear: Malicious e-mail virus and "phishing" attacks that most of us have become accustomed to deleting are beginning to shift from indiscriminate, blast-as-many-spams-as-you-can assaults to sophisticated attacks that use information gleaned from previous data thefts to target individual e-mail users. The end result is that a far higher percentage of recipients actually open the poisoned attachments, and in some cases even forward the message on to a trusted friend, co-worker, or subordinate.
Recipients running Microsoft Windows who clicked on the attachment in the bogus FTC e-mail were warned by Windows that an executable file (a program installer) was about to run, and given the chance to decline the execution. Anyone who ignored that warning witnessed yet another social engineering feat. The invading program then produced a pop-up alert complaining that Microsoft Word had crashed, and that the user could double-click on a provided icon to restart Word. It was in double-clicking on that "OK" button that victims set in motion the final stage of the attack, allowing a Trojan horse program to invade their machines and record every single keystroke that they typed from there on out.
The malicious program doesn't just record every finger tap made by the user. In addition, the malware author has coded his software to let him view his victim's Windows desktop in real time. Real time, as in the attacker can take screen shots while the victim surfs the Web, including when someone logs into a bank account or other sites requiring passwords.
The person who masterminded this attack even took screen shots of his own desktop, presumably to test his malware to make sure it functioned properly (note that his Windows desktop is in Russian with Cyrillic characters). A short snippet of commands he typed on his own computer -- along with his own IP address -- also appeared in the cache of stolen data on the Web site where the Trojan horse uploads stolen data.
The individual responsible for this virus lives in the Ukraine and writes his own malicious software, according to Matthew Richard, director of the rapid response team for iDefense, a security firm owned by Verisign.
To illustrate the remote control features of the malware, check out the screenshot below, which the perpetrator took when one of his victims was alerted to the presence of his program by an antivirus program -- score one for antivirus vendor AVG. (Note the Excel file named "Credit Cards August" on the would-be victim's desktop!).
According to VirusTotal.com, an online tool that uses the combined power of more than two-dozen antivirus programs to scan for new malware, this piece of malicious software was so selectively spammed that it remains undetected by the majority of the antivirus products on the market today. In fact, as late as Nov. 1, a confirmed victim's machine passed a full system software scan from an up-to-date version of Symantec's Norton antivirus.
iDefense's Richard said it was remarkable that the AVG software detected this piece of malware, which was hand-made and only sent to a few thousand victims. "The stuff he's writing is very custom, so there's generally zero detection available for this type of malware for weeks at a time," Richard said. "Antivirus is nearly worthless when it comes to [detecting] custom attacks."
So who were the victims of this attack, which -- despite a fair amount of media attention -- appears to be gaining new victims with each passing hour? Most of the two dozen or so that I spoke with fell into one of four camps -- real estate brokers, marketing companies, law firms and pharmaceutical providers. Several news media sources were among the victims. In fact, I personally alerted a victim at The Washington Post.
The SANS Internet Storm Center earlier this week posted an alert about the fake FTC e-mail that appeared to tie the attack to a database of sales leads allegedly stolen from Salesforce.com. Last week, Security Fix published evidence suggesting that a database compromise at Salesforce.com had led to a similar series of targeted malicious e-mail virus attacks against several industry sectors, including numerous bank customers.
A great many of the victims I contacted were confirmed users of Salesforce.com's database. Still, it's not clear yet how the database breach occurred and Salesforce.com may not have been the negligent party. But one aspect of this attack remains very curious: Out of nearly 500 people who were victimized by this particular Trojan horse program over the past 72 hours, the attacker chose to take screen shots of just a handful of them. Among those he decided to snapshot was a person logging into a user account at Salesforce.com, which you can see in the image to the left.
If there is a moral to this story, it is this: E-mail has become such an untrustworthy medium that even messages addressing you by name should be treated with the utmost suspicion, particularly those that ask you to open an e-mail attachment or click on an included link. If a message comes from someone you don't know, delete it. If it appears to have been sent from a friend or family member, reply to the message and ask for confirmation that the sender indeed meant for you to view that e-mail attachment.
Update, 1:12 p.m. ET, Nov. 6: Care to know just how bad anti-virus detection is for the keystroke logging program used in this attack? Check out the results of a scan at VirusTotal.com viewable here. Only 15 out of 31 different anti-virus programs currently detect it as malicious. That's less than a 50 percent detection rate for a piece of malware that was first spammed out more than two weeks ago.
November 5, 2007; 6:00 AM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips , U.S. Government